Uber suffers mass security breach, 50,000 driver records compromised

A database of drivers who work with the Uber app was accessed last May, resulting in the possible theft of information on 50,000 drivers.

In a statement, Uber managing counsel of data privacy Katherine Tassi said that it identified access to the database by “an unauthorised third party” and a small percentage of current and former Uber driver partner names and driver’s license numbers were contained in the database.

“Immediately upon discovery we changed the access protocols for the database, removing the possibility of unauthorised access,” Tassi said “We are notifying impacted drivers, but we have not received any reports of actual misuse of information as a result of this incident.

The investigation found that the access attempt was made in May 2014, but not detected until September, but the files that were accessed contained only the name and driver’s license number of some driver partners.

“Uber takes seriously our responsibility to safeguard personal information, and we are sorry for any inconvenience this incident may cause.”

Tassi also said that a “John Doe” lawsuit has been filed, so it can gather information that may lead to confirmation of the identity of the third party.

Ken Westin, security researcher at Tripwire, said: “Even though information may have been compromised in this case, Uber should be commended for having tools in place to detect unauthorised access in the first place.

“A large number of organisations don’t even have proper logging in place to detect unauthorised access to databases containing sensitive data. This means that there are a large number of data breaches that occur that have not been detected so the businesses and their customers/partners are not aware their information has been compromised.

“Uber is also being proactive in their notification to drivers that their information has been compromised which can have a significant impact on decreasing the potential fraud associated with the type of data that was stolen such as driver’s license numbers and personal data.

"Breaches will happen and it is refreshing to see that companies like Uber are investing in the proper tools to detect unauthorised access and other indicators of compromise.”